Security Basics mailing list archives

Re: Hardware vs Software Firewall/Router


From: "James Lee Gromoll" <jgromoll () hotmail com>
Date: Wed, 02 Apr 2003 11:44:36 -0800


My $.02,


1. If you use software loaded on each host exposed to the web, then you will have failed right off since any attacker already hits the host before he is dealt with.

2. If you mean to use software loaded on a PC acting as a firewall, then this is a much better idea and offloads the system overhead as well.

3. If you plan to use a hardware solution, you still have somewhat of a software solution anyhow. This is because now the software is simply burned into PROMs or the like, but in the end it is still code subject to compromise. While it is perhaps a bit tighter than others it is still code, and I have faith all code can eventually be exploited.

4. I believe the best approach is a combination of hardware and software solutions.

5. Routers are good. They can segment and isolate your net to a great degree. Some routers offer advanced features that allow a high degree of control over traffic on the net (port filters, etc.). I would get at least one router.

6. Firewalls are also good. They definitely filter and limit traffic in and out of a net. It is best if you have a dedicated firewall be it an appliance or a PC running firewall software.

7. There are a few FREE firewalls available. IPCOP and Smoothwall are two. They require a dedicated PC with two NICs or one NIC and a modem. The set up is remarkably easy and a 200 MHz PC will provide quite adequate bandwidth at cable modem speeds and T1 speed also.

8. For the cost of a cable/DSL one port router, it is silly to not have a router.

9. A simple low $$ solution would look like this

                WAN/Internet
                    |
         Linksys Single port Router         Cost <40$
                    |
               Smoothwall PC                Cost junker PC ~$100
                    |
                   LAN

10. These can be set up to be remotely administered, but I believe the Linksys still has an unresolved vulnerability when remote admin is enabled. Smoothwall can use SSH for remote admin.

11. The argument that the hardware firewalls have more vulns may bear credibility, since the code on them can be quite unique and once compromised the fix may be more difficult to implement. Basically the same argument that it is easier to fix a Windows bug than it is to fix a BIOS bug. It really depends on the skill level of the programmers.

ps. Oh, by the way, Linksys is becoming Cisco.

From: <nsm () e-paradise net>
To: security-basics () securityfocus com
Subject: Hardware vs Software Firewall/Router
Date: 2 Apr 2003 03:11:54 -0000



I work for a consulting company that services businesses with 30 to 200
clients. Our IT Manager likes to use a Linksys, or a 3Com hardware
firewall solution. He is also thinking of introducing the Symantec Raptor
(I could be incorrect on the name) software solution. We are mostly a
windows based firm with little *nix experience, so most software
solutions are out already.

My reason for posting is:

I would like to provide a valid argument for not using a software
solution, and making our hardware solutions a little more “upscale”, say
PIX, Nokia, Checkpoint etc. The IT manager's argument is that he finds far
fewer vulnerabilities in the software solutions or the Linksys and 3Com
than what he does in the PIX etc.

I am of course familiar with all of the basic differences, I am more so
looking for valid argumentative points.

Any input would be greatly appreciated.

-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-security-basics






